- Status Closed
-
Assigned To
cbay - Private
Attached to Project: Security vulnerabilities
Opened by Jay - 27.01.2025
Last edited by cbay - 27.01.2025
Opened by Jay - 27.01.2025
Last edited by cbay - 27.01.2025
FS#127 - Unrestricted File Upload on support Form
Summary:
A critical security vulnerability was identified in the file upload on the application. The flaw allows users to upload any file type, including executable files like .pdf, .php, and .exe, with invited members. This presents a significant risk, as malicious files could be uploaded and distributed, leading to potential exploitation and compromise of other systems.
Vulnerable url: https://admin.alwaysdata.com/support/add/
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
PoC Video and steps as well: https://1drv.ms/v/c/b36e2dc7e26ef1fd/ERV7BAigJE5EpdTopeZaAW4Bq8m8bu6nlQHAe94au4DyyQ?e=SgX4N8
Hello,
Uploaded files are not executed/interpreted on our servers. Our support team knows not to download and run any user-uploaded file.
Kind regards,
Cyril